Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the FY 2009 U.S. Citizenship and Immigration Services Financial Statement Audit

OIG-10-93                                             June 2010

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

JUN - 8 2010

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2009 U.S. Citizenship and Immigration Services (USCIS) financial statement audit as of September 30, 2009. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors' Report dated January 15, 2010, and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at USCIS in support of the DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated March 10, 2010, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control, or conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General
Information Technology Audits

KPMG LLP
2001 M Street, NW
Washington, DC 20036

March 10, 2010

Inspector General
U.S. Department of Homeland Security
Chief Information Officer and Chief Financial Officer
U.S. Citizenship and Immigration Services

Ladies and Gentlemen:

We have audited the consolidated balance sheet of the U.S. Citizenship and Immigration Services (USCIS), a component of the U.S. Department of Homeland Security (DHS), as of September 30, 2009, and the related consolidated statements of net cost and changes in net position and the combined statement of budgetary resources (hereinafter referred to as "consolidated financial statements") for the year then ended. 
In planning and performing our audit of the consolidated financial statements of USCIS, in accordance with auditing standards generally accepted in the United States of America, we considered USCIS's internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of USCIS's internal control. Accordingly, we do not express an opinion on the effectiveness of USCIS's internal control.

In planning and performing our fiscal year 2009 audit, we considered USCIS's internal control over financial reporting by obtaining an understanding of the design effectiveness of USCIS's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. To achieve this purpose, we did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of USCIS's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of USCIS's internal control over financial reporting.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

Our audit of USCIS as of, and for the year ended, September 30, 2009, disclosed a material weakness in the areas of information technology (IT) configuration management, security management, access controls, and segregation of duties. These matters are described in the IT General Control Findings by Audit Area section of this letter.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

The material weakness described above is presented in our Independent Auditors' Report, dated January 15, 2010. This letter represents the separate restricted distribution letter mentioned in that report.

The control deficiencies described herein have been discussed with the appropriate members of management and communicated through Notices of Finding and Recommendation (NFRs). Our audit procedures are designed primarily to enable us to form an opinion on the consolidated financial statements, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We aim to use our knowledge of USCIS gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies.

The Table of Contents on the next page identifies each section of the letter. 
We have provided a description of key USCIS financial systems and IT infrastructure within the scope of the FY 2009 USCIS consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the USCIS Chief Financial Officer dated January 15, 2010.

This communication is intended solely for the information and use of DHS and USCIS management, the DHS Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
United States Citizenship and Immigration Services
Information Technology Management Letter
September 30, 2009

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                              Page
Objective, Scope and Approach                                                    1
Summary of Findings and Recommendations                                          3
IT General Control Findings by Audit Area                                        4
  Findings Contributing to a Material Weakness Deficiency in IT                  4
    Configuration Management                                                     4
    Security Management                                                          4
    Access Controls                                                              4
    Segregation of Duties                                                        4
Application Controls                                                             8
Management's Comments and OIG Response                                           8

APPENDICES

Appendix   Subject                                                             Page
A          Description of Key USCIS Financial Systems and IT Infrastructure
           within the Scope of the FY 2009 Financial Statement Audit             9
B          FY 2009 Notices of IT Findings and Recommendations at USCIS          11
           - Notice of Findings and Recommendations – Definition of
             Severity Ratings                                                   12
C          Status of Prior Year Notices of Findings and Recommendations and
           Comparison to Current Year Notices of Findings and
           Recommendations at USCIS                                             21
D          Management's Comments                                                23
E          Report Distribution                                                  29

OBJECTIVE, SCOPE AND APPROACH

We have audited the U.S. Citizenship and Immigration Services (USCIS) balance sheet as of September 30, 2009. In connection with our audit of USCIS's balance sheet, we performed an evaluation of information technology general controls (ITGC) to assist in planning and performing our audit. The U.S. Department of Homeland Security's Bureau of Immigration and Customs Enforcement (ICE) hosts key financial applications for USCIS. As such, our audit procedures over information technology (IT) general controls for USCIS included testing of ICE's Active Directory/Exchange (ADEX) network and the Federal Financial Management System (FFMS) policies, procedures, and practices, as well as USCIS policies, procedures, and practices at USCIS Headquarters.

The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit. The scope of the USCIS IT general controls assessment is described in Appendix A. FISCAM was designed to inform financial auditors about IT controls and related audit concerns, to assist them in planning their audit work, and to integrate the work of IT auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. 
FISCAM defines the following five control functions as essential to the effective operation of the general IT controls environment:

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit procedures, we also performed technical security testing of key network and system devices, as well as testing of key financial application controls in the ICE environment. The technical security testing was performed both over the Internet and from within select ICE facilities, and focused on test, development, and production devices that directly support USCIS general support systems.

                                         1
  Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit

In addition to testing the general control environment, we performed application control tests on a limited number of ICE's financial systems and applications. The application control testing was performed to assess the controls that support USCIS financial systems' internal controls over the input, processing, and output of financial data and transactions.

• Application Controls (APC) – Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2009, we noted that USCIS made minimal progress in addressing its previously identified IT internal control weaknesses. 
Therefore, due to USCIS's lack of prioritization of the issues, all seven (7) prior year findings were reissued. During our review, we continued to identify IT general control weaknesses that could potentially impact USCIS's financial data. The most significant weaknesses from a financial statement audit perspective related to controls over FFMS and to weaknesses in physical security and security awareness. Collectively, the IT control weaknesses limited USCIS's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over USCIS financial reporting and its operation, and we consider them collectively to represent a material weakness for USCIS under standards established by the American Institute of Certified Public Accountants (AICPA). In addition, based upon the results of our test work, we noted that USCIS did not fully comply with the requirements of the Federal Financial Management Improvement Act (FFMIA).

Of the 19 findings identified during our FY 2009 testing, 12 were new IT findings. These findings represent weaknesses in four of the five FISCAM key control areas. Specifically: 1) a lack of strong password management and audit logging within the financial applications; 2) security management issues involving staff security training and exit processing procedure weaknesses; 3) inadequately designed and operating configuration management; and 4) the lack of effective segregation of duties controls within financial applications. These weaknesses increase the risk that the confidentiality, integrity, and availability of system controls and USCIS financial data could be undermined, thereby compromising the integrity of financial data used by management and reported in USCIS's financial statements.

USCIS management should ensure that emphasis is placed on the completion, monitoring, and enforcement of IT security-related policies and procedures. Ongoing measures to improve the IT security considerations for key financial systems utilized by USCIS, and to implement effective access controls, segregation of duties, and configuration management controls, need to be completed. While the recommendations made by KPMG should be considered by USCIS, it is the ultimate responsibility of USCIS management to determine the most appropriate method(s) for addressing the weaknesses identified, based on their system capabilities and available resources.

IT GENERAL CONTROL FINDINGS BY AUDIT AREA

Findings Contributing to a Material Weakness Deficiency in IT

During the FY 2009 financial statement audit, we identified the following IT control deficiencies that are considered a material weakness:

1. Configuration Management – we noted:
   • Security configuration management weaknesses on the Active Directory/Exchange (ADEX) network. These weaknesses included default configuration settings, inadequate patching, and weak password management.

2. Security Management – we identified:
   • Background investigations are not conducted in a timely manner.
   • Procedures for transferred/terminated personnel exit processing are not finalized.
   • IT security training is not mandatory, nor is compliance monitored.

3. Access Controls – we identified:
   • Ineffective safeguards over physical access to sensitive facilities and resources.
   • The following account management weaknesses over ADEX, CLAIMS 3 LAN, and CLAIMS 4:
     • Lack of recertification of system administrators and system users.
     • Insufficient definition and documentation of CLAIMS 3 LAN and CLAIMS 4 access roles.
     • User access is not documented and maintained for CLAIMS 3 LAN and CLAIMS 4.
     • CLAIMS 3 LAN and CLAIMS 4 password configurations do not meet DHS requirements.
     • Terminated personnel still have active user accounts within CLAIMS 3 LAN and CLAIMS 4.
     • Generic user accounts exist for the CLAIMS 3 LAN.
   • Lack of policies and procedures for maintaining and reviewing CLAIMS 3 LAN and CLAIMS 4 audit logs.
   • Lack of processes in place for sanitization of equipment and media.

4. Segregation of Duties – we identified:
   • Segregation of duties controls were not enforced through access authorizations in CLAIMS 4.

Recommendations: Unless specifically noted where USCIS needs to take specific corrective action, we recommend that the USCIS Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the ICE Office of the Chief Financial Officer and the ICE Office of the Chief Information Officer, make the following improvements to ICE's information technology:

1. Configuration Management:
   • Redistribute procedures and train employees on continuously monitoring and mitigating vulnerabilities. In addition, we recommend that ICE periodically monitor the existence of unnecessary services and protocols running on their servers and network devices, in addition to deploying patches.
   • Perform vulnerability assessments and penetration tests on all ICE offices, from a centrally managed location with a standardized reporting mechanism that allows for trending, on a regularly scheduled basis in accordance with NIST guidance.
   • Develop a more thorough approach to track and mitigate configuration management and resource vulnerabilities identified during monthly scans. ICE should monitor the vulnerability reports for necessary or required configuration changes to their environment.
   • Develop a process to verify that systems identified with "HIGH/MEDIUM Risk" configuration vulnerabilities do not appear on subsequent monthly vulnerability scan reports, unless they are verified and documented as a false positive. All risks identified during the monthly scans should be mitigated immediately, and not be allowed to remain dormant.
   • Implement the corrective actions identified during the audit vulnerability assessment, as identified in the issued NFR.

2. Security Management:
   • Periodically review personnel files to confirm background investigations have been completed in accordance with DHS standards.
   • Adhere to exit clearance procedures and enforce personnel adherence in the event of transfer or termination.
   • Implement mandatory requirements for IT security personnel to complete training consistent with their job duties.
   • Establish and implement requirements for personnel to complete Computer Security Awareness training annually. Also, develop a process to disable user accounts and access privileges for non-compliant staff.

3. Access Controls:
   • Establish and implement emergency exit and re-entry procedures at the Technology Engineering Consolidation Center (TECC).
   • Implement effective physical access controls over the server cage which houses USCIS servers at the TECC.
   • Conduct and document annual reviews of application users and users with system administrator access to ADEX.
   • Establish and enforce procedures for the completion and maintenance of user access forms for CLAIMS 3 LAN and CLAIMS 4 across all service centers.
   • Establish a process to ensure CLAIMS 3 LAN and CLAIMS 4 are configured to meet DHS password configuration requirements.
   • Develop and implement policies and procedures to remove terminated users and generic accounts from the CLAIMS 3 LAN.
   • Establish a process to review and maintain system audit logs.

4. Segregation of Duties:
   • Define and document the policies and procedures for identifying and approving CLAIMS 4 user roles/profiles, to include user responsibilities and segregation of duties initiatives.

USCIS Specific Recommendations:

5. We recommend that the offices of the USCIS CIO, ICE CIO, and DHS CIO coordinate to develop an Interagency Agreement for the ICE/USCIS relationship. The agreement should be developed using appropriate guidance from NIST SP 800-53. Specific to this NFR, the Interagency Agreement should document the processes by which ICE will notify USCIS of its planned remediation of the ADEX security vulnerabilities. USCIS should further take a proactive approach in monitoring the resolution of the ADEX vulnerabilities.

6. The USCIS CIO should ensure that USCIS has a sound understanding of the ICE security vulnerabilities that affect USCIS data integrity. USCIS should then develop remediation plans and compensating controls, as applicable, to address potential data integrity issues. For example, more frequent reconciliation of financial accounts may be required.

Cause/Effect:
ICE is not continuously monitoring the ICE ADEX General Support System (GSS) vulnerability assessment scans for patch and configuration management vulnerabilities. USCIS management has not proactively coordinated with ICE to establish a detailed and documented Interagency Agreement for the IT services provided by ICE. As a result, default configuration installations and unnecessary services operating on the ICE ADEX devices increase the ability to compromise the availability, integrity, and confidentiality of financial data on the network. Additionally, failure to apply critical vendor security patches exposes system and network devices to new and existing vulnerabilities. 
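The configuration management recommendations above, and the cause stated here (monthly ADEX scan results not being continuously monitored), describe a check that can be run mechanically: a HIGH or MEDIUM finding present in one monthly scan must either be gone from the next one or be covered by a documented false-positive exception. The following is an added example of that recurrence check; it is not code from the letter, from KPMG, or from ICE or USCIS. The CSV column names, the hostnames, the check identifiers, the three months of scan rows and the false-positive register are all constructed for illustration.

```python
"""
Recurrence check for monthly vulnerability-scan results: a HIGH or MEDIUM
finding that appears in consecutive monthly reports must either have been
remediated or be covered by a documented false-positive exception.

Added example; the CSV layouts, hostnames, check identifiers and scan rows
below are constructed for illustration and are not from the letter.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Severity ratings whose recurrence must be explained.
TRACKED_SEVERITIES = frozenset({"HIGH", "MEDIUM"})


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner check identifier (assumed column name)
    severity: str
    title: str


def parse_scan_csv(text: str) -> set[Finding]:
    """Parse one monthly scan export; columns host,check_id,severity,title are assumed."""
    return {
        Finding(row["host"].strip(), row["check_id"].strip(),
                row["severity"].strip().upper(), row["title"].strip())
        for row in csv.DictReader(io.StringIO(text))
    }


def parse_false_positive_register(text: str):
    """Split the register into accepted exceptions ((host, check_id) -> justification)
    and entries rejected because they carry no written justification."""
    accepted, rejected = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["host"].strip(), row["check_id"].strip())
        justification = row["justification"].strip()
        if justification:
            accepted[key] = justification
        else:
            rejected.append(key)
    return accepted, rejected


def recurring_findings(monthly_reports, exceptions):
    """
    monthly_reports: [(month_label, set[Finding]), ...] in chronological order.
    Returns {(host, check_id): [months seen]} for every HIGH/MEDIUM finding that
    appears in two or more consecutive months and has no accepted exception.
    """
    labels = [label for label, _ in monthly_reports]
    seen = defaultdict(set)
    for index, (_, findings) in enumerate(monthly_reports):
        for f in findings:
            if f.severity in TRACKED_SEVERITIES:
                seen[(f.host, f.check_id)].add(index)
    flagged = {}
    for key, indexes in seen.items():
        if key in exceptions:
            continue
        ordered = sorted(indexes)
        if any(b == a + 1 for a, b in zip(ordered, ordered[1:])):
            flagged[key] = [labels[i] for i in ordered]
    return flagged


# Constructed sample data: three monthly exports and a false-positive register.
SCAN_2009_07 = """host,check_id,severity,title
dc01,CHK-1001,HIGH,Missing vendor security patch
ex02,CHK-2002,MEDIUM,Default SNMP community string
fs03,CHK-3003,LOW,ICMP timestamp response
"""
SCAN_2009_08 = """host,check_id,severity,title
dc01,CHK-1001,HIGH,Missing vendor security patch
ex02,CHK-2002,MEDIUM,Default SNMP community string
fs03,CHK-4004,MEDIUM,Unnecessary service enabled (telnet)
"""
SCAN_2009_09 = """host,check_id,severity,title
dc01,CHK-1001,HIGH,Missing vendor security patch
fs03,CHK-4004,MEDIUM,Unnecessary service enabled (telnet)
web04,CHK-5005,HIGH,Default administrative credentials
"""
FALSE_POSITIVE_REGISTER = """host,check_id,justification
ex02,CHK-2002,Read-only community restricted to the management VLAN (ticket on file)
fs03,CHK-4004,
"""


def run_example():
    reports = [("2009-07", parse_scan_csv(SCAN_2009_07)),
               ("2009-08", parse_scan_csv(SCAN_2009_08)),
               ("2009-09", parse_scan_csv(SCAN_2009_09))]
    exceptions, undocumented = parse_false_positive_register(FALSE_POSITIVE_REGISTER)
    return recurring_findings(reports, exceptions), undocumented


if __name__ == "__main__":
    flagged, undocumented = run_example()
    for (host, check_id), months in sorted(flagged.items()):
        print(f"RECURRING  {host:8} {check_id}  seen in {', '.join(months)}")
    for host, check_id in undocumented:
        print(f"UNDOCUMENTED EXCEPTION  {host:8} {check_id}  (no justification recorded)")
```

Two design points match the recommendation's wording: an exception only counts when a justification is actually recorded, so a register row with the justification left blank (fs03 / CHK-4004 in the sample) is reported rather than silently accepted; and only consecutive months are flagged, so a finding that was fixed and later regressed shows up as a fresh occurrence rather than as a dormant one.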
Such unpatched and misconfigured devices can expose the information system controls environment to security breaches, unauthorized access, service interruptions, and denial of service attacks. These weak IT controls at ICE, specifically with ADEX, have a direct and significant negative impact on USCIS financial data integrity. Consequently, USCIS requires additional resources to implement the compensating controls needed to ensure fair presentation of its financial statements.

Due to a lack of USCIS management oversight, the controls environment remains weak and needs overall improvement. The lack of a strong controls environment increases the risk of improper handling of sensitive information, unauthorized access to financial data, improper staff training, and improper segregation of duties and least privilege principles.

Reasonable assurance should be provided that system user access levels are limited and monitored for appropriateness. The weaknesses identified within USCIS's access controls increase the risk that staff may have access to a system that is outside the realm of their job responsibilities. This access could allow a person to intentionally or inadvertently use various functions to alter the integrity of executable files and scripts within the financial system.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the E-Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. FFMIA sets forth legislation prescribing policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. The purpose of FFMIA is to: (1) provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) increase the accountability and credibility of Federal financial management; (4) improve performance, productivity, and efficiency of Federal Government financial management; and (5) establish financial management systems to support controlling the cost of the Federal Government. In closing, for this year's IT audit we assessed the DHS component's compliance with DHS Sensitive Systems Policy Directive 4300A.

APPLICATION CONTROL FINDINGS

We did not identify any IT findings in the area of application controls during the FY 2009 Financial Statement Audit engagement.

MANAGEMENT'S COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from USCIS management. 
USCIS management agreed with our findings and recommendations. USCIS management has developed a
remediation plan to address these findings and recommendations. A copy of the comments is
included in Appendix D.

OIG Response

We agree with the steps that USCIS management is taking to satisfy these recommendations.


                                  Appendix A

 Description of Key USCIS Financial Systems and IT Infrastructure
     within the Scope of the FY 2009 Financial Statement Audit

Below is a description of significant USCIS and ICE financial management systems and supporting
information technology (IT) infrastructure included in the scope of USCIS’s fiscal year (FY) 2009
Financial Statement Audit.

Locations of Review: USCIS Headquarters, Washington, DC; Verizon Data Center, Manassas, VA;
Vermont Service Center, Burlington, VT; ICE Headquarters, Washington, DC; The Burlington Finance
Center (BFC), Burlington, VT; Department of Commerce (DOC) Office of Computer Services (OCS),
Springfield, VA.

Systems Subject to Audit:
• Federal Financial Management System (FFMS): It is used to create and maintain a record of
  each allocation, commitment, obligation, travel advance and accounts receivable issued. It is
  the system of record for the agency and supports all internal and external reporting
  requirements.
• ICE Network: The ICE Network, also known as the Active Directory\Exchange (ADEX) E-mail
  System, is the general support system (GSS) for ICE and other DHS components, such as the
  USCIS.
• Computer-Linked Application Management System (CLAIMS) 3 Local Area Network (LAN):
  Provides a decentralized LAN based system that supports the requirements of the Direct Mail
  Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS forms improvement
  projects. The CLAIMS 3 LAN is located at each of the service centers (Nebraska, California,
  Texas, Vermont, and the National Benefits Center).
• CLAIMS 4: The system is a client/server application that tracks and manages naturalization
  applications. The central Oracle Database is located in Washington, DC while application
  servers and client components are located throughout USCIS service centers and district offices.


                                  Appendix B

         FY 2009 Notices of IT Findings and Recommendations at USCIS

Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on
the Department of Homeland Security (DHS) Consolidated Independent Auditors Report.

      1 – Not substantial
      2 – Less significant
      3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of
severity for consolidated reporting purposes.

These ratings are provided only to assist USCIS in the
development of its corrective action plans for remediation of the deficiency.

Each NFR below is listed with its NFR #, whether it is a New Issue or a Repeat Issue, its Severity
Rating, the Condition observed, and the Recommendation made.

CIS-IT-09-01 (Repeat Issue; Severity Rating: 2)
Condition: We inspected the National Benefits Center (NBC) CLAIMS 3 LAN user role/responsibilities
documentation and determined that the system settings and assigned user roles within the system do
not accurately reflect documented user responsibilities.
Recommendation: Continue to define and document the various CLAIMS 3 LAN roles and their associated
responsibilities for the remaining service centers.

CIS-IT-09-02 (Repeat Issue; Severity Rating: 2)
Condition: NBC does not perform periodic CLAIMS 3 LAN user access reviews to ensure that users’ level
of access remains appropriate, and there are no procedures established for performing periodic
reviews.
Recommendation: Establish and implement policies and procedures for handling, reviewing, and
retention of CLAIMS 3 LAN user account request forms.

CIS-IT-09-03 (Repeat Issue; Severity Rating: 2)
Condition: Management at the USCIS Headquarters (HQ) and the Vermont Service Center has not
completed, or has inadequately documented, access forms for CLAIMS 3 LAN and CLAIMS 4 system users.
Recommendation: Establish and enforce procedures for the completion and maintenance of user access
forms for CLAIMS 3 LAN and CLAIMS 4 for all the service centers.

CIS-IT-09-04 (Repeat Issue; Severity Rating: 2)
Condition: The USCIS HQ has not maintained or documented a selection of system administrators’ access
authorization forms.
Recommendation: Conduct and document annual reviews of all users with Active Directory system
administrator access.

CIS-IT-09-06 (Repeat Issue; Severity Rating: 2)
Condition: The biometric facial recognition scanner allowed unauthorized personnel access to the USCIS
server room, and procedures regarding removal, authorization, and logging of USCIS backup media are
not in place for the Technology Engineering Consolidation Center (TECC).
Recommendation:
• Establish and implement backup media retention and rotation policies.
• Establish and implement emergency exit and re-entry procedures.
• Develop a process that assures all resources with access to the USCIS resources adhere to the
  policy and procedure.
• Implement stronger physical access controls over the server cage door to prevent further
  unauthorized access.

CIS-IT-09-07 (Repeat Issue; Severity Rating: 2)
Condition: USCIS has not finalized a policy that outlines the process for developing forms for
labeling and tracking the disposition process, or provided clear instructions for conducting media
wipes or purges of data.
Recommendation: Update and finalize their policies and procedures to reflect their current media
sanitization operation.

CIS-IT-09-08 (Repeat Issue; Severity Rating: 2)
Condition: USCIS does not recertify its system administrator accounts on an annual basis.
Recommendation: Management should establish a more timely process to perform a periodic review of
user accounts ensuring proper authorization and training.

CIS-IT-09-09 (New Issue; Severity Rating: 2)
Condition: CLAIMS 3 LAN password re-use and length configurations do not meet DHS standards. CLAIMS 3
LAN generic user accounts were not timely removed because of a lack of user account recertification.
Recommendation:
• Establish a process to ensure that USCIS systems are configured to meet minimum DHS password
  configurations and requirements.
• Remove all generic accounts to CLAIMS 3 LAN production systems and perform periodic reviews of
  the user access list to ensure compliance.

CIS-IT-09-10 (New Issue; Severity Rating: 2)
Condition: CLAIMS 4 LAN password configuration settings do not meet DHS 4300A password standards.
Recommendation: We recommend that USCIS establish a process to ensure CLAIMS 4 LAN is configured to
meet DHS 4300A password configuration standards.

CIS-IT-09-11 (New Issue; Severity Rating: 2)
Condition: We identified that an inadequate background investigation was performed and documented for
one newly hired employee from a sample of 25.
Recommendation: We recommend that USCIS management periodically review personnel files to confirm
background investigations have been completed in accordance with DHS standards.

CIS-IT-09-12 (New Issue; Severity Rating: 2)
Condition: We inspected a sample of personnel that had terminated/transferred from their employment
with USCIS. Of the 28 terminated/transferred USCIS personnel sampled, evidence of compliance with exit
clearance procedures could not be provided for 19 employees.
Recommendation: We recommend that USCIS management adhere to exit clearance procedures and require
personnel to follow them in the event of transfer/termination.

CIS-IT-09-13 (New Issue; Severity Rating: 2)
Condition: Vermont Service Center (VSC) has ineffective safeguards over the computer room in the Office
of Information Technology (OIT). VSC procedures regarding the removal, authorization and logging of
backup media are not in place. VSC procedures for ensuring accuracy and completeness over visitor logs
are not enforced.
Recommendation:
• Establish and implement procedures for maintaining and authorizing the OIT’s computer room access
  list.
• Establish and implement backup media retention and rotation policies.
• Enforce completeness and accuracy over visitor information in logs.

CIS-IT-09-14 (New Issue; Severity Rating: 2)
Condition: During our testing of access controls for FFMS, in our sample of 25 active users, we noted
one user’s access was excessive, based on the access approved by their present supervisor. We learned
that this user’s profile was changed as the user relocated to a different service center. However,
when the profile change was requested, the FFMS administrator did not remove all previous access nor
assure that the access rights were current and authorized. As a result, the user had excessive
privileges for her role and responsibilities. We also noted that the USCIS SOP did not reflect this
procedure, though we learned through inquiry that the FFMS administrators are required to remove all
prior access when performing a profile change.
As a result of our test work, USCIS responded by removing the excessive access to reflect the user’s
role and responsibilities. In addition, USCIS updated their SOP to require all previous access to be
confirmed and removed prior to granting new access roles.
Recommendation: We recommend that USCIS establish and enforce policies and procedures that ensure that
roles and responsibilities are commensurate with their job function.

CIS-IT-09-15 (New Issue; Severity Rating: 2)
Condition: We identified a lack of audit logging policies over the application and server logs for the
CLAIMS 3 and CLAIMS 4 LAN systems.
Recommendation: We recommend that USCIS establish and enforce policies and procedures for maintenance
and review of audit logging.

CIS-IT-09-16 (New Issue; Severity Rating: 2)
Condition: We identified weaknesses within access controls for CLAIMS 4 over lack of procedures for
recertifying user access, lack of evidence of least privilege and segregation of duties controls, and
untimely removal of terminated personnel accounts.
Recommendation:
• Establish and implement policies and procedures for the handling, periodically reviewing, and
  retaining CLAIMS 4 user account request forms.
• Define and document policies and procedures for identifying and approving CLAIMS 4 user
  roles/profiles to include the user’s responsibilities. In addition, the policies and procedures
  should address and implement segregation of duties procedures.
• Develop policies and procedures for the removal of transferred/terminated users within CLAIMS 4
  upon their separation from USCIS.

CIS-IT-09-17 (New Issue; Severity Rating: 2)
Condition: We identified weaknesses within monthly trainings of USCIS’ ISSOs.
Recommendation: We recommend that USCIS management implement mandatory training requirements for IT
security personnel to complete training consistent with their job function duties.

CIS-IT-09-18 (New Issue; Severity Rating: 2)
Condition: We determined that weaknesses exist related to CLAIMS 3 LAN access. Specifically, we
identified 21 users who were separated from USCIS and still retained access to the CLAIMS 3 LAN.
Recommendation: We recommend that USCIS management develop and implement policies and procedures for
the removal of separated users within CLAIMS 3 LAN upon their separation.

CIS-IT-09-19 (New Issue; Severity Rating: 2)
Condition: We tested a sample of personnel that were required to complete annual Computer Security
Awareness Training during the fiscal year. Of the thirty (30) personnel sampled, evidence of
compliance could not be provided for two (2) employees. Additionally, procedures are not in place to
disable user accounts and access privileges if annual training is not completed on a timely basis.
Recommendation:
• Establish and implement requirements for personnel to complete Computer Security Awareness
  Training annually.
• Develop a process to disable user accounts and access privileges in accordance with DHS policies
  for employees not in compliance.

CIS-IT-09-20 (New Issue; Severity Rating: N/A, issued after release of DHS audit report)
Condition: During the internal vulnerability assessment efforts of network servers and systems we
identified several High/Medium Risk vulnerabilities related to configuration management. We
determined that security configuration management weaknesses (i.e., missing security patches and
incorrect configuration settings) exist on hosts supporting the ICE.
Recommendation: In addition to addressing the specific vulnerabilities identified in the condition,
ICE should:
• Redistribute procedures and train employees on continuously monitoring and mitigating
  vulnerabilities. In addition, we recommend that ICE periodically monitor the existence of
  unnecessary services and protocols running on their servers and network devices, in addition to
  deploying patches.
• Perform vulnerability assessments and penetration tests on all offices of the ICE, from a centrally
  managed location with a standardized reporting mechanism that allows for trending, on a regularly
  scheduled basis in accordance with NIST guidance.
• Develop a more thorough approach to track and mitigate configuration management vulnerabilities
  identified during monthly scans. ICE should monitor the vulnerability reports for necessary or
  required configuration changes to their environment.
• Develop a process to verify that systems identified with “HIGH/MEDIUM Risk” configuration
  vulnerabilities do not appear on subsequent monthly vulnerability scan reports, unless they are
  verified and documented as a false-positive. All risks identified during the monthly scans should
  be mitigated immediately, and not be allowed to remain dormant.
USCIS should:
• We recommend that the offices of the USCIS CIO, ICE CIO, and DHS CIO coordinate to develop an
  Interagency Agreement for the ICE/USCIS relationship. The agreement should be developed using
  appropriate guidance from NIST 800-53. Specific to this NFR, the Interagency Agreement should
  document the processes by which ICE will notify USCIS of its planned remediation of the ADEX
  security vulnerabilities. USCIS should further take a proactive approach in monitoring the
  resolution of the ADEX vulnerabilities.
• The USCIS CIO should ensure that USCIS has a sound understanding of the ICE security
  vulnerabilities that affect USCIS data integrity. USCIS should then develop remediation plans and
  compensating controls, as applicable, to address potential data integrity issues. For example,
  more frequent reconciliation of financial accounts may be required.


                                  Appendix C

   Status of Prior Year Notices of Findings and Recommendations and Comparison to
         Current Year Notices of Findings and Recommendations at USCIS

NFR No.       Description                                                  Disposition
                                                                           Closed    Repeat
CIS-IT-08-01  Lack of Definition and Documentation of Access Roles at the            09-01
              National Benefits Center for CLAIMS 3 LAN
CIS-IT-08-02  Periodic CLAIMS 3 LAN User Access Reviews are not Performed            09-02
              at the NBC
CIS-IT-08-03  Incomplete or Inadequate Access Request Forms for CLAIMS 3             09-03
              LAN, CLAIMS 4, and CISCOR System Users at Headquarters
              and the Service Centers
CIS-IT-08-04  Ineffective Controls for Restricting Security Software Exist           09-04
CIS-IT-08-06  Weak Data Center Access Controls                                       09-06
CIS-IT-08-07  Equipment and Media Policies and Procedures are not Current            09-07
CIS-IT-08-08  Weak Access Controls for Security Software Exist                       09-08


                                  Appendix D

                  USCIS Management’s Comments
U.S. Department of Homeland Security
U.S. Citizenship and Immigration Services
Office of the Chief Information Officer
Washington, DC 20529
www.uscis.gov

April 28, 2010

Memorandum

TO:       Frank Deffer
          Assistant Inspector General for Information Technology Audit
          U.S. Department of Homeland Security

FROM:     Leslie Hope
          Chief Information Officer, Acting

SUBJECT:  Management Response to the IT Management Letter for the FY 2009 U.S.
          Citizenship and Immigration Services Financial Integrated Audit

We would like to thank you for the opportunity to review and comment on the IT Management Letter for the FY 2009 U.S. Citizenship and Immigration Services Financial Integrated Audit. USCIS requests that your Office make the following changes to the Independent Auditor's IT Management Letter report.

Except for the items noted below, USCIS agrees and accepts all findings, comments, and conclusions the independent auditors expressed in the IT Management Letter report.

Findings Contributing to a Material Weakness Deficiency in IT

During the FY 2009 financial statement audit, we identified the following IT control deficiency that is considered a material weakness:

1. Configuration Management - we noted:

   • Security configuration management weaknesses on the Active Directory Exchange (ADEX). These weaknesses included default configuration settings, inadequate patches, and weak password management.

Recommendations: Unless specifically noted where USCIS needs to take specific corrective action, we recommend that the USCIS Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the ICE Office of Chief Financial Officer and the ICE Office of the Chief Information Officer, make the following improvements to ICE's information technology security program:

Suggested Change:

"During the FY 2009 financial statement audit, we identified that the Immigration and Customs Enforcement (ICE) Headquarters hosts the Active Directory Exchange (ADEX), General Support System (GSS) and a key financial application for USCIS. We identified the following ICE IT control deficiencies that significantly impact USCIS and are considered material weaknesses:

1. Configuration Management - we noted:

Several High/Medium risk vulnerabilities related to configuration management were identified.

   • Security configuration management weaknesses on the ICE's ADEX. These weaknesses included default configuration settings, inadequate patches, and weak password management.

Recommendations: Unless specifically noted where USCIS needs to take specific corrective action, we recommend that the USCIS Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the ICE Office of Chief Financial Officer and the ICE Office of the Chief Information Officer, make the following improvements to ICE's information technology security program:

"ICE Specific Recommendations"

Your recommendation statement alludes to USCIS having control over actions to be performed by ICE. Recommendations 1 through 5 are strictly ICE's actions within their control. Your statement does not clearly identify these as actions ICE must take.

Other Findings

The following IT and financial system control deficiencies that contributed to a material weakness are noted below:

1. Security Management - we identified:

   • Background investigations are not conducted in a timely manner.
   • Procedures for transferred/terminated personnel exit processing are not finalized.
   • IT Security training is not mandatory nor is compliance monitored...

Recommendations: We recommend that the USCIS CIO and CFO, in coordination with the DHS Office of Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to USCIS' financial management systems and associated information technology security program."

Response Comment:

USCIS has realigned its mission support activities under an Associate Director Management. The new Associate Director has taken action to correct the three deficiencies under his span of control.

Appendix A

Systems Subject to Audit

   • Computer Linked Application Management System (CLAIMS) 3 Local Area Network (LAN): Provides a decentralized LAN based system that supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS forms improvement projects. The Claims 3 LAN is located at each of the service centers (Nebraska, California, Texas, Vermont) and the National Benefits Center.

Suggested Change:

   • Computer Linked Application Management System (CLAIMS) 3 Local Area Network (LAN): Provides a decentralized LAN based system that supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS forms improvement projects. The CLAIMS 3 LAN is located at each of the service centers (i.e., Nebraska, California, Texas, and Vermont) and the National Benefits Center.

Appendix B - Notice of Findings and Recommendations Table

NFR #: CIS-IT-09-04

Condition: The USCIS HQ has not maintained or documented a selection of system administrator's access authorization forms.

Recommendation: Conduct and document annual reviews of all users with Active Directory systems administrator access."

Suggested Change:

Condition: The USCIS has not maintained or documented a selection of ADEX system administrator's access authorization forms.

Recommendation: Conduct and document annual reviews of all users with Active Directory systems administrator access in coordination with ICE."

NFR #: CIS-IT-09-08

Condition: USCIS does not recertify its system administrator accounts on an annual basis.

Suggested Change:

Condition: USCIS does not recertify its Local PICS Officer (LPO) accounts on an annual basis.

NFR #: CIS-IT-09-10

Condition: CLAIMS 4 LAN password configuration settings do not meet DHS 4300A password standards.

Recommendation: We recommend that USCIS establish a process to ensure CLAIMS 4 LAN is configured to meet DHS 4300A password configuration standards.

Suggested Change:

Condition: CLAIMS 4 password configuration setting for password history does not meet DHS 4300A password standards.

Recommendation: We recommend CLAIMS 4 password history setting be changed from 6 generations to 8 generations to meet DHS 4300A password configuration standards.

NFR #: CIS-IT-11 and CIS-IT-12

Note: The OCIO is not the owner of these processes. These NFRs were signed by and are the responsibility of the Office of Security and Integrity (OSI) and the Office of Human Capital and Training (HCT).

NFR #: CIS-IT-09-14

Note: The OCIO is not the owner of this process. This NFR was signed by and is the responsibility of the OCFO. They grant, remove, and monitor access to FFMS.

NFR #: CIS-IT-08-01
Description: Lack of Definition and Documentation of Access Roles at the National Benefits Center for CLAIMS 3 LAN.

NFR #: CIS-IT-08-04
Description: Ineffective Controls for Restricting Security Software Exist.

NFR #: CIS-IT-08-08
Description: Weak Access Controls for Security Software Exist.

Suggested Change:

NFR #: CIS-IT-08-01
Description: Inefficient Definition and Documentation of Access Roles at the National Benefits Center for CLAIMS 3 LAN.

As stated, it gives the impression that Definition and Documentation of Access Roles do not exist.

NFR #: CIS-IT-08-04
Description: Periodic Active Directory and Exchange (ADEX) system administrator access reviews are not performed at USCIS.

As stated, it gives the impression all controls related to security software are ineffective. The signed NFR specifically addresses ADEX.

NFR #: CIS-IT-08-08
Description: Weak Access Controls for Security Software Exist within the Password Issuance and Control System (PICS).

As stated, it gives the impression all controls related to security software are weak. The signed NFR specifically addresses PICS.

USCIS is committed to resolving all control deficiencies and weaknesses identified in the audit and has prepared Mission Action Plans to resolve and improve the Agency's information technology controls.

USCIS appreciates the cooperation and respect that your staff provided during the course of the audit and looks forward to continuing our strong working relationship with your office.

If you have any questions regarding our comments, please contact Leslie Hope, Acting Chief Information Officer at (202) 272-1018.


Appendix E

Department of Homeland Security
Immigration and Customs Enforcement
Information Technology Management Letter
September 30, 2009

Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
General Counsel
Chief of Staff
Deputy Chief of Staff
Executive Secretariat
Under Secretary, Management
Director, USCIS
DHS Chief Information Officer
DHS Chief Financial Officer
Associate Director-Management, USCIS
Acting Chief Financial Officer, USCIS
Acting Chief Information Officer, USCIS
Chief Information Security Officer
Assistant Secretary, Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Legislative Affairs
DHS GAO OIG Audit Liaison
Chief Information Officer, Audit Liaison
USCIS Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees as Appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.


OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
      DHS Office of Inspector General/MAIL STOP 2600,
      Attention: Office of Investigations - Hotline,
      245 Murray Drive, SW, Building 410,
      Washington, DC 20528.


The OIG seeks to protect the identity of each writer and caller.